Experts analyze the “most notorious” cases of Android malware that infiltrated the app store. Users often think that installing apps from Google Play is a sure thing. After all, it is the official store among all those that exist for Android. But the platform hosts more than three million unique applications, most of which are regularly updated, and examining all of them thoroughly exceeds the resources of even one of the largest companies in the world.
Malicious app creators are aware of this and have developed a number of techniques to get their creations onto Google Play. Kaspersky experts analyzed the most famous 2023 cases of malicious applications offered in the official Android store, with total downloads exceeding 600 million.
50,000 downloads: iRecorder, an infected app that spies on users
iRecorder, an intuitive screen recording app for Android phones, was uploaded to Google Play in September 2021. Later, in August 2022, its developers added malicious functionality: code from the AhMyth remote access trojan, which caused the phones of all users who installed the app to record sound from the microphone every 15 minutes and send it to the app creator’s server.
By the time researchers discovered the malware in May 2023, the iRecorder application had been downloaded more than 50,000 times. This example shows one of the ways malicious apps manage to get onto Google Play. First, cybercriminals publish a harmless app on the store to make sure it passes all moderation checks. Later, once it has gained a user base and a certain reputation, it is modified with a malicious function that is introduced through an update.
620,000 downloads: Fleckpe subscription Trojan
Also in May 2023, our experts found several apps on Google Play infected with the Fleckpe subscription Trojan. By that time, they had already reached 620,000 installations. Curiously, these applications were uploaded by different developers. And this is another common tactic: cybercriminals create numerous developer accounts in the store so that, even if the moderators block some of them, they can simply upload a similar app from another account.
When the infected application was executed, the payload with the main malicious code was downloaded to the victim’s phone, after which the Trojan connected to the command and control server and transmitted information about the country and the mobile operator. Based on this information, the server gave instructions on how to proceed. Fleckpe then opened websites with paid subscriptions in a browser window invisible to the user and, by intercepting the confirmation codes from received notifications, subscribed the user to unnecessary services that were paid for through the mobile operator contract.
1.5 million downloads: Chinese spyware
In July 2023, Google Play was discovered to host two malicious file management apps: one with a million downloads and the other with half a million.
Despite the developers’ assurances that the apps did not collect any data, researchers found that both transferred a lot of user information to servers in China, including contacts, real-time geolocation, phone and phone network information, photos, audio, video files and more. To prevent the user from uninstalling them, the infected apps hid their desktop icons, another common tactic used by mobile malware creators.
2.5 million downloads: background adware
In a recent Google Play malware discovery in August 2023, researchers found up to 43 apps, including but not limited to TV/DMB Player, Music Downloader, News, and Calendar, that were secretly loading ads while the user’s phone screen was turned off.
In order to perform their activity in the background, the applications asked the user to add them to the list of exclusions from power saving. Naturally, affected users suffered from reduced battery life. These apps had a total of 2.5 million downloads, and their target audience was primarily Korean.
20 million downloads: fake apps that promise rewards
A study published in early 2023 uncovered several suspicious applications on Google Play with over 20 million downloads between them.
These applications were mainly advertised as health monitoring apps and promised users cash rewards for walking and other activities, as well as for watching advertisements or installing other applications. More specifically, the user received points for performing these actions, which supposedly could later be converted into real money. The only problem was that, to get a reward, it was necessary to collect so many points that it was actually impossible to achieve.
[Image: Apps on Google Play that promise rewards for walking and watching ads]
35 million downloads: Minecraft clones with adware inside
Google Play has also hosted malicious games this year, mostly disguised as Minecraft, which remains one of the most popular titles in the world. In April 2023, 38 Minecraft clones were discovered in the official Android store, with a total of 35 million downloads. These applications had adware with a very fitting name hidden inside them: HiddenAds.
When the infected applications were opened, they “displayed” hidden ads without the user’s knowledge. This in itself was not a serious threat, but such activity could affect device performance and battery life. And infected apps can always switch to a much less harmless monetization scheme later.
This is another standard tactic of Android malware creators: they easily switch between different types of malicious activity depending on how profitable they are at any given time.
100 million downloads: data harvesting and click fraud
Also in April 2023, another 60 apps on Google Play were found to be infected with adware that researchers called Goldoson. Together, these apps have had more than 100 million downloads on the official store. This malware also “showed” hidden ads when opening web pages within the app in the background. In addition, the malicious applications collected user data, such as information about installed applications, geolocation, the addresses of devices connected to the phone via Wi-Fi and Bluetooth, and more. Goldoson apparently got into all these applications along with an infected library used by many legitimate developers who simply did not know that it contained this malicious functionality.
451 million downloads: mini-game ads and data collection
We wrap up with the biggest case of the year: in May 2023, a team of researchers found 101 ineligible apps on Google Play, with a total of 421 million downloads. Inside each of them was a library with SpinOk code.
Soon after, another team of researchers discovered 92 more apps on Google Play that had the same SpinOk library, but with a slightly more modest number of downloads: 30 million. In total, nearly 200 apps containing the SpinOk code were found, with a total of 451 million downloads from Google Play. This is another case where the malicious code was delivered to applications through a third-party library.
Apparently, the apps’ task was to display intrusive mini-games that promised cash prizes. But in addition, the SpinOk library was capable of collecting user data and files and sending them to its developers’ command and control server in the background.
Given this scenario, the conclusion is clear: malware on Google Play is much more common than you might think; infected apps have a total of more than 500 million downloads. Therefore, Kaspersky experts recommend:
● Despite everything, official stores remain the only safe sources for downloading applications. Downloading them elsewhere is much more dangerous, so we recommend that you not do it.
● Every time you download a new app, check the store page carefully to make sure it’s a genuine app. Pay special attention to the name of the developer. Cybercriminals often clone popular apps and publish them on Google Play with similar names, icons and descriptions to attract users.
● Do not be guided by the overall rating of the application, as it is easy to change. It’s also easy to fake rave reviews. It is better to focus on negative reviews with low ratings; there you can usually find a description of any problems related to the application.
● Make sure you have reliable protection installed on all your Android devices, so you’ll be alerted if a trojan tries to sneak onto your phone or tablet. There are solutions on the market that allow users to manually scan when installing new applications. In the Kaspersky portfolio of consumer solutions, consisting of Kaspersky Standard, Kaspersky Plus and Kaspersky Premium, scanning is performed automatically, protecting you from infected applications.
Source: Panama America

I’m Ella Sammie, author specializing in the Technology sector. I have been writing for 24 Instatnt News since 2020, and am passionate about staying up to date with the latest developments in this ever-changing industry.